The realities of risk

25.04.2006
When people talk about implementing security programs, I doubt they know what that means or what they need. I believe that they hope to secure their company's computers, and maybe they have the foresight to think about protecting information in a broader context. They allot their budgets to the required antivirus software, firewall management, required security assessments and maybe even some advanced tools like security incident management tools. With any remaining budget, they look for other technologies to implement.

While I believe that antivirus software, firewalls and the like are necessary components of security programs, I don't think people know why they're necessary. Security managers buy and implement these technologies to address likely attacks, but they can't explain their benefits in business terms. The damages caused by viruses are so self-evident that nobody argues about the funding required to buy the antivirus software or subscriptions. In contrast, since security programs are developed to address situations in which potential losses are not as clear, information security managers have difficulty justifying the required funding.

When information security managers understand the real reason that security programs exist, they can implement cost-effective programs that address organizational needs and garner appropriate funding. The real reason a security program exists is to manage risk. And that's why most current security programs are next to useless.

To manage risk, you must first define it. While there are many risk formulas, the one that I have found to be most effective is the following quasi-mathematical construction:

Risk = ((Threat * Vulnerability) / Countermeasure) * Value

In this equation, value is the amount that your information and/or services are worth. Notice that I did not refer to the value of your IT, such as the hardware, software and support personnel. The fact is that hardware and software are fungible, and the cost of their replacement is trivial when compared to the value of the data on a computer. A backup tape, for example, might be costly, but it's worth millions if it's storing credit card numbers -- when you consider the potential financial fraud, the cost of reissuing the cards and the loss of business resulting from the loss of customer confidence.

Several factors contribute to the value of the information under the protection of your security program. These factors include tangible value, nuisance value and value to competitors. For instance, a marked-up customer list may be worthless to your company, but not to your competitor. Antivirus software is considered a requirement because the cost of an infection is so high: Viruses can destroy work that took months to create, bring down your business for a period of time and take hours per system to clean up. The lost productivity alone is significantly more than the software license fees.

If you want to reduce your risk, you could reduce value, but that's not realistic or desirable -- the goal of an organization is, after all, to increase its value.

Threat is the who or what that is out to get you -- entities that can cause you harm if you provide them with the opportunity. Who refers to people or groups that can create loss. These might be malicious people, ranging from script kiddies to competitors to cyberterrorists. They can also be nonmalicious people, such as trusted insiders who make mistakes. What usually refers to events beyond your control, such as hurricanes, earthquakes, fires, floods and power outages.

Vulnerabilities are weaknesses that allow threats to cause you harm. They can be operational (the way that you do business), personnel-related (the way that you hire, supervise and fire people), physical (the weaknesses in your physical assets) or technical (the way that you configure and maintain your computers). It is important to note that any vulnerability can be exploited by any threat. For example, using the default password on an administrator account could be exploited by a script kiddie, a cyberterrorist, a competitor or a well-meaning employee trying to accomplish something "without bothering anybody."

At this point, our quasi-mathematical equation would appear to reach its limits. The mathematical implication is that if you have no threats or no vulnerabilities, you will have no risk. This is the apparent goal of many so-called security programs, and it's where they fail. The reality is that there are always threats and vulnerabilities in any organization. To repeat: Risk can never be eliminated entirely.

If risk can't be eliminated, a practical security plan can reduce it to an acceptable level. Countermeasures are the only part of our formula that can be managed to reduce risk. They are security measures that aim to mitigate threats and/or vulnerabilities. Defined in business terms, your security program is the implementation of countermeasures to mitigate your organization's vulnerabilities.

The reason that I specifically say "vulnerabilities" and do not mention threat is because it is nearly impossible to effectively diminish threat. For example, even though you can avoid putting your data center in an earthquake-prone area, you can't prevent earthquakes. Maybe a background check will help weed out people with criminal records, but you can't predict which people without criminal records will commit illegal acts. You are not going to be able to hunt down all script kiddies on the planet. It's just not realistic to focus on eliminating threats.

The trick is for an information security manager to determine how to best allocate limited countermeasures to mitigate vulnerabilities and thus manage risk. The fact is that not all vulnerabilities should be mitigated. For example, it might cost millions of dollars to reduce a vulnerability that puts an asset of only small value at risk. To take an extreme example, you could assign a security guard to protect a tape 24 hours a day, but if the tape were blank, it would clearly be a waste of money.

The figure below depicts the relationship of countermeasures and vulnerabilities. Assuming that the countermeasures address real vulnerabilities, as you implement countermeasures, you decrease your vulnerabilities. The area under the vulnerabilities curve represents potential loss in financial terms.

Threats enter into this equation when they increase the probability that particular vulnerabilities will be exploited. If you understand the threats, you know what methods attackers are likely to use, what vulnerabilities they are likely to exploit and what type of value they want to compromise. As you increase countermeasures and decrease your potential loss, the cost of your countermeasures -- that is, of your security program -- increases.

While most people assume you want to remove all vulnerabilities, the diagram shows that this is not practical. At some point, you'd spend more money implementing countermeasures than the remaining potential loss. Frankly, you never want to go past, or even come close to, the point where the cost of your countermeasures equals your potential loss. Potential loss is only potential loss, and it is unlikely it will ever be completely realized.

Information security managers have to appropriately balance potential losses with the cost of a security program; this is the process of optimizing risk. In the grand scheme of things, they should determine the maximum acceptable potential loss to their organizations and then figure out what countermeasures will get them to that level. Figure 2 depicts the process as represented on a graph similar to our earlier model.

Potential loss is the driver, not the result, when you optimize your risk. Unfortunately, most security budgets are arbitrarily determined -- sometimes as a simple multiple of the overall IT budget. What does that say about the level of risk you face? If you are given an overabundance of funding, great. Otherwise, you randomly allocate your random budget to do what you can. This is why your risk is improperly managed and thus uncontrolled. In an ideal world, managers would determine acceptable potential loss at a macro level and use this methodology for their whole security programs. The reality is that you will do this at first on a micro level.

Look, for example, at individual vulnerabilities and determine the cost to mitigate each vulnerability. To address a vulnerability, such as poor passwords, first put together an estimate of the organization's financial losses due to such passwords. In a large organization, password changes account for approximately half the calls to the help desk. This provides a tangible value for your calculations. After that, develop a figure representing the costs of security incidents resulting from the exploitation of poor passwords.

Next in the process, look at the cost of an appropriate countermeasure, such as token-based authentication, which might cost a large organization approximately US$1.5 million. That cost can be amortized over three years, so the annual cost would be $500,000. Therefore, if the previously calculated potential loss due to poor passwords is significantly over $500,000, you can justify acquiring the technology.
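The justification steps above, worked through in code as an added illustration rather than anything from the original article: only the $1.5 million amortized over three years comes from the text, while the help-desk call volume, per-call cost, incident cost, the 1.25 "significantly over" margin and the other candidate countermeasures are assumed figures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Countermeasure:
    """A proposed countermeasure and the potential loss it addresses."""
    name: str
    capital_cost: float        # one-time acquisition cost, in dollars
    amortization_years: int    # years the cost is spread over
    potential_loss: float      # estimated annual loss if the vulnerability stays

    def annual_cost(self) -> float:
        return self.capital_cost / self.amortization_years

    def justified(self, margin: float = 1.25) -> bool:
        # The article funds a countermeasure only when potential loss is
        # "significantly over" its annual cost; the 1.25 margin is an assumption.
        return self.potential_loss >= margin * self.annual_cost()

def estimate_password_loss(calls_per_year, password_share, cost_per_call, incident_cost):
    """Tangible annual loss from poor passwords: help-desk resets plus incidents."""
    return calls_per_year * password_share * cost_per_call + incident_cost

def plan(candidates, max_acceptable_loss):
    """Fund justified countermeasures, best loss-avoided-per-dollar first, and stop
    once remaining potential loss is at or below the acceptable ceiling."""
    funded = []
    remaining = sum(c.potential_loss for c in candidates)
    ranked = sorted(candidates, reverse=True,
                    key=lambda c: c.potential_loss / c.annual_cost() if c.annual_cost() else float("inf"))
    for c in ranked:
        if remaining <= max_acceptable_loss:
            break
        if c.justified():
            funded.append(c.name)
            remaining -= c.potential_loss
    return funded, remaining

# Constructed figures: 20,000 help-desk calls a year, half of them password
# resets (as the article states), $30 per call, plus $400,000 in incident costs.
TOKEN_AUTH = Countermeasure("token-based authentication", 1_500_000, 3,
                            estimate_password_loss(20_000, 0.5, 30, 400_000))
# The article's blank tape: a guard costs money but protects nothing of value.
BLANK_TAPE_GUARD = Countermeasure("24-hour guard on a blank tape", 150_000, 1, 0.0)
# Constructed: an expensive control that addresses only a small loss.
OVERBUILT = Countermeasure("overbuilt control", 2_000_000, 1, 300_000)
CANDIDATES = [TOKEN_AUTH, BLANK_TAPE_GUARD, OVERBUILT]
```

Note that `plan` leaves the overbuilt control's potential loss unmitigated even though it is above the ceiling, which is the article's point that not every vulnerability should be mitigated.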

In the above example, you didn't just address security concerns, but operational concerns as well. If you can do this with all of your proposed countermeasures, you should have an easier time getting the budgets that you need. If, on the other hand, you can't financially justify a countermeasure, it might not be needed.

Optimizing risk doesn't mean that you are guaranteeing perfect security, but that you are consciously acknowledging the costs and benefits of your security program. Not only does it make your organization as secure as one can reasonably make it, it makes you more valuable as well.

Ira Winkler is president of the Internet Security Advisors Group. He is a former National Security Agency analyst and the author of Spies Among Us (Wiley, 2005).